From: aranea@aixah.de (Luis Ressel)
Date: Tue, 14 Nov 2017 03:03:36 +0100
Subject: [refpolicy] [PATCH] Allow gtk apps to map usr_t files
Message-ID: <20171114020336.28983-1-aranea@aixah.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
This is required to access gtk's icon cache. IIRC, past discussion on the ML came to the conclusion that adding a new domain for this would be overkill.
---
 blueman.te | 1 +
 evolution.te | 1 +
 gpg.te | 1 +
 mozilla.te | 1 +
 openoffice.te | 1 +
 thunderbird.te | 1 +
 wireshark.te | 1 +
 wm.te | 1 +
 8 files changed, 8 insertions(+)
diff --git a/blueman.te b/blueman.te
index 3a5032e..c00e3cc 100644
--- a/blueman.te
+++ b/blueman.te
@@ -45,6 +45,7 @@ dev_rw_wireless(blueman_t)
 domain_use_interactive_fds(blueman_t)
 files_list_tmp(blueman_t)
+files_map_usr_files(blueman_t)
 files_read_usr_files(blueman_t)
 auth_use_nsswitch(blueman_t)
diff --git a/evolution.te b/evolution.te
index ed56f43..a9ffea3 100644
--- a/evolution.te
+++ b/evolution.te
@@ -182,6 +182,7 @@ dev_read_urand(evolution_t)
 domain_dontaudit_read_all_domains_state(evolution_t)
+files_map_usr_files(evolution_t)
 files_read_usr_files(evolution_t)
 fs_dontaudit_getattr_xattr_fs(evolution_t)
diff --git a/gpg.te b/gpg.te
index d55eeaf..d860aeb 100644
--- a/gpg.te
+++ b/gpg.te
@@ -338,6 +338,7 @@ dev_read_rand(gpg_pinentry_t)
 domain_use_interactive_fds(gpg_pinentry_t)
+files_map_usr_files(gpg_pinentry_t)
 files_read_usr_files(gpg_pinentry_t)
 fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
diff --git a/mozilla.te b/mozilla.te
index 79e0cd4..5a58ee9 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -170,6 +170,7 @@ dev_write_sound(mozilla_t)
 domain_dontaudit_read_all_domains_state(mozilla_t)
 files_read_etc_runtime_files(mozilla_t)
+files_map_usr_files(mozilla_t)
 files_read_usr_files(mozilla_t)
 files_read_var_files(mozilla_t)
 files_read_var_lib_files(mozilla_t)
diff --git a/openoffice.te b/openoffice.te
index 3c42014..eb10349 100644
--- a/openoffice.te
+++ b/openoffice.te
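Review bot: The added `files_map_usr_files(blueman_t)` line has no comment saying why the domain needs `map` on usr_t, and the same is true of the matching additions in evolution.te, gpg.te, mozilla.te, openoffice.te, thunderbird.te, wireshark.te and wm.te. The interface name suggests the grant covers every file labelled usr_t rather than only the icon cache, so someone auditing map permissions later cannot tell from the policy itself that the reason is this narrow. I would put `# gtk icon cache is mmap()ed` directly above each added call. Each hunk shows only a few lines of its module, so rules outside the hunks were not reviewed.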
@@ -80,6 +80,7 @@ files_getattr_all_dirs(ooffice_t)
 files_getattr_all_files(ooffice_t)
 files_getattr_all_symlinks(ooffice_t)
 files_read_etc_files(ooffice_t)
+files_map_usr_files(ooffice_t)
 files_read_usr_files(ooffice_t)
 fs_getattr_xattr_fs(ooffice_t)
diff --git a/thunderbird.te b/thunderbird.te
index 865de1d..70ff0f0 100644
--- a/thunderbird.te
+++ b/thunderbird.te
@@ -86,6 +86,7 @@ dev_read_urand(thunderbird_t)
 dev_dontaudit_search_sysfs(thunderbird_t)
 files_list_tmp(thunderbird_t)
+files_map_usr_files(thunderbird_t)
 files_read_usr_files(thunderbird_t)
 files_read_etc_runtime_files(thunderbird_t)
 files_read_var_files(thunderbird_t)
diff --git a/wireshark.te b/wireshark.te
index a398fd7..ca4289f 100644
--- a/wireshark.te
+++ b/wireshark.te
@@ -86,6 +86,7 @@ dev_read_rand(wireshark_t)
 dev_read_sysfs(wireshark_t)
 dev_read_urand(wireshark_t)
+files_map_usr_files(wireshark_t)
 files_read_usr_files(wireshark_t)
 fs_getattr_all_fs(wireshark_t)
diff --git a/wm.te b/wm.te
index b9c0498..e54f283 100644
--- a/wm.te
+++ b/wm.te
@@ -56,6 +56,7 @@ dev_rw_wireless(wm_domain)
 dev_write_sound(wm_domain)
 files_read_etc_runtime_files(wm_domain)
+files_map_usr_files(wm_domain)
 files_read_usr_files(wm_domain)
 fs_getattr_all_fs(wm_domain)
-- 
2.15.0
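Review bot: The `files_map_usr_files(wm_domain)` line in wm.te grants the permission to what looks like an attribute rather than a single type, so every window-manager domain carrying `wm_domain` would receive it whether or not it uses gtk. The commit subject limits the change to gtk apps, which makes this hunk wider than the other seven, each of which names one domain. If the wider scope is intended, a comment above the call such as `# gtk-based window managers mmap the icon cache; granted to all wm domains` would record the decision. The neighbouring `files_read_usr_files(wm_domain)` already has the same scope; the rest of wm.te, including how `wm_domain` is declared, is outside the hunk.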